
How to Secure Apache with Let's Encrypt on Ubuntu

Yammbo
· 4 min read
ubuntu ssl certbot apache tls hardening automatic certificate renewal free ssl

Securing your website with HTTPS is crucial for protecting user data and building trust. Let's Encrypt provides free, automated, and open certificates, making it accessible for everyone to enable HTTPS. This tutorial guides you through the process of setting up Let's Encrypt certificates for your Apache web server on an Ubuntu system, ensuring your site communicates securely.

Prerequisites

Before you begin, ensure you have the following:

  • An Ubuntu 22.04, 24.04, or 26.04 LTS server with a non-root user configured for sudo privileges and a firewall (e.g., UFW).
  • A registered domain name with DNS A records pointing to your server's public IP address for both your main domain (e.g., your_domain.com) and its www subdomain (e.g., www.your_domain.com).
  • Apache installed and configured with a virtual host file for your domain, typically located at /etc/apache2/sites-available/your_domain.com.conf. This virtual host must have correct ServerName and ServerAlias directives.
  • The UFW firewall configured and enabled.

Step 1: Verify Your Server Environment

Before installing Certbot, it's good practice to verify your server's operating system and Apache configuration.

  1. Check Ubuntu Version: Confirm you are running a supported Ubuntu LTS release by executing:

    lsb_release -ds

    You should see output similar to Ubuntu 22.04.x LTS, Ubuntu 24.04.x LTS, or Ubuntu 26.04.x LTS.

  2. Confirm Apache Status: Ensure Apache is running correctly:

    sudo systemctl status apache2

    The output should indicate that the service is active (running).

  3. Verify Apache Virtual Host Configuration: Open your domain's virtual host file (e.g., /etc/apache2/sites-available/your_domain.com.conf) and ensure the ServerName and ServerAlias directives are correctly set to your domain and its www subdomain. For example:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/your_domain.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    Replace your_domain.com with your actual domain name.

Step 2: Install Certbot

Certbot is the recommended client for obtaining and managing Let's Encrypt certificates. On modern Ubuntu versions, it's installed via Snap.

  1. Install Certbot via Snap:

    sudo snap install --classic certbot

    This command installs Certbot as a classic snap, ensuring it has the necessary permissions to interact with your system.

  2. Create a Symlink: The certbot command might not be immediately available in your system's PATH. Create a symbolic link to ensure it can be run from anywhere:

    sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 3: Adjust Firewall Settings

If you are using UFW, you need to allow HTTPS traffic through your firewall. Certbot requires port 80 to be open for initial domain validation, and port 443 for secure HTTPS traffic.

  1. Allow Apache Full Profile: The Apache Full UFW profile allows both HTTP (port 80) and HTTPS (port 443) traffic.

    sudo ufw allow 'Apache Full'

  2. Remove Redundant Apache Profile (if applicable): If you previously only allowed HTTP traffic with the Apache profile, you can remove it, as Apache Full covers both.

    sudo ufw delete allow 'Apache'

  3. Verify Firewall Status: Check that your firewall rules are correctly applied:

    sudo ufw status

    You should see Apache Full listed as allowed.

Step 4: Obtain an SSL Certificate

Now that Certbot is installed and your firewall is configured, you can use Certbot to obtain and install your SSL certificate.

  1. Run Certbot for Apache:

    sudo certbot --apache

    Certbot will interactively guide you through the process:

    • It will ask for an email address for urgent renewal notices and security warnings.
    • You'll need to agree to the Let's Encrypt Terms of Service.
    • Certbot will detect your Apache virtual hosts and ask which domains you'd like to enable HTTPS for. Select the numbers corresponding to your domain and its www subdomain.
    • Finally, it will ask whether to redirect HTTP traffic to HTTPS. It's generally recommended to choose the redirect option to ensure all visitors access your site securely.
  2. Confirmation: If successful, Certbot will report that the certificate was installed and provide its expiry date. It will also modify your Apache configuration to include the SSL certificate and, if chosen, set up HTTP to HTTPS redirection.
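A post-issuance check to run once Certbot reports success, added here as an example that is not part of the original post: it reads the certificate's subjectAltName to confirm both your_domain.com and www.your_domain.com are covered, and uses openssl's -checkend to tell whether the certificate is inside Certbot's default 30-day renewal window. Certbot keeps the live chain at /etc/letsencrypt/live/your_domain.com/fullchain.pem (a standard Certbot path not mentioned above); the demo instead generates a short-lived self-signed certificate with the same names so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: check the certificate Certbot installed in
# Step 4. Certbot keeps the live chain under /etc/letsencrypt/live/<domain>/fullchain.pem;
# the demo builds a throwaway self-signed cert with the same names so it runs offline.

# cert_sans FILE : print each DNS name from the certificate's subjectAltName, one per line
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ {getline; gsub(/[ ,]/, "\n"); print}' |
    sed -n 's/^DNS://p'
}

# cert_covers FILE DOMAIN : 0 only if DOMAIN and www.DOMAIN are both listed in the SANs
cert_covers() {
  local rc=0 want sans; sans=$(cert_sans "$1")
  for want in "$2" "www.$2"; do
    if printf '%s\n' "$sans" | grep -qxF "$want"; then echo "OK      $want"
    else echo "MISSING $want (re-run certbot with -d $want)"; rc=1; fi
  done
  return $rc
}

# cert_expires_within FILE DAYS : 0 if the cert expires within DAYS (Certbot renews at 30)
cert_expires_within() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); }

# make_demo_cert FILE : constructed 10-day self-signed cert using the post's placeholder names
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 10 \
    -subj "/CN=your_domain.com" \
    -addext "subjectAltName=DNS:your_domain.com,DNS:www.your_domain.com" 2>/dev/null
}

tmp=$(mktemp -d); make_demo_cert "$tmp/fullchain.pem"
cert_covers "$tmp/fullchain.pem" your_domain.com || true
if cert_expires_within "$tmp/fullchain.pem" 30; then echo "renewal due: under 30 days left"
else echo "more than 30 days left"; fi
rm -rf "$tmp"
```

Point cert_covers and cert_expires_within at the real fullchain.pem to check a live deployment; the demo certificate is only there so the script runs without a server.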

Step 5: Harden TLS Configuration

While Certbot sets up basic HTTPS, you can further enhance your server's security by hardening its TLS configuration. This involves disabling older, less secure TLS protocols and enabling features like OCSP stapling and HTTP Strict Transport Security (HSTS).

  1. Edit Apache's SSL Configuration: Open the main SSL configuration file for Apache:

    sudo nano /etc/apache2/mods-available/ssl.conf

  2. Disable Older TLS Protocols: Locate the SSLProtocol directive and modify it to disable TLS 1.0 and TLS 1.1, which have known vulnerabilities. Your line should look similar to this:

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  3. Enable OCSP Stapling: OCSP (Online Certificate Status Protocol) stapling allows your server to provide a cached, signed OCSP response to clients, improving performance and privacy. Add or uncomment these lines:

    SSLUseStapling On
    SSLStaplingCache
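An added example, not part of the original post, that audits a configuration file for the Step 5 settings: it flags an SSLProtocol line that still enables TLS 1.0 or 1.1, confirms SSLUseStapling On together with an SSLStaplingCache, and looks for an HSTS header (Header always set Strict-Transport-Security, usually placed in the :443 virtual host rather than in ssl.conf). The sample configs are constructed, and the SSLStaplingCache value in the hardened sample is an assumed one.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit an Apache SSL config for the Step 5
# settings (TLS 1.0/1.1 off, OCSP stapling on, HSTS set). Sample configs here are constructed.

# _enabled PROTO TOKEN... : is PROTO enabled by this SSLProtocol token list?
_enabled() {
  local want="$1" on=0 tok; shift
  for tok in "$@"; do
    case "$tok" in
      all|+all|"$want"|"+$want") on=1 ;;
      -all|"-$want")             on=0 ;;
    esac
  done
  [ "$on" = 1 ]
}

# tls_audit FILE : prints one line per check; returns 0 only when every check passes
tls_audit() {
  local f="$1" rc=0 cfg proto
  cfg=$(sed 's/#.*//' "$f")   # drop comments so "# SSLUseStapling On" does not count
  proto=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="sslprotocol"{$1="";print}' | tail -n1)
  proto="${proto# }"
  set -- $proto               # word-split the directive into tokens (intended)
  if [ $# -eq 0 ]; then echo "FAIL SSLProtocol not set"; rc=1
  elif _enabled TLSv1 "$@" || _enabled TLSv1.1 "$@"; then
    echo "FAIL SSLProtocol still allows TLS 1.0/1.1: $proto"; rc=1
  else echo "OK   SSLProtocol $proto"; fi
  if printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+on([[:space:]]|$)' &&
     printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*SSLStaplingCache[[:space:]]+[^[:space:]]'; then
    echo "OK   OCSP stapling on with a cache"
  else echo "FAIL OCSP stapling off or SSLStaplingCache missing"; rc=1; fi
  if printf '%s\n' "$cfg" | grep -Eiq 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security[[:space:]]+"?max-age=[1-9]'; then
    echo "OK   HSTS header set"
  else echo "FAIL HSTS header missing"; rc=1; fi
  return $rc
}

# Constructed samples: Ubuntu's stock SSLProtocol line before Step 5, and the hardened result
write_weak_conf() { printf '%s\n' 'SSLProtocol all -SSLv3' '# SSLUseStapling On' > "$1"; }
write_hardened_conf() {   # the SSLStaplingCache value is an assumed one, not from the post
  printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' 'SSLUseStapling On' \
    'SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"' \
    'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"' > "$1"
}

tmp=$(mktemp -d); write_weak_conf "$tmp/weak.conf"; write_hardened_conf "$tmp/hard.conf"
echo "== before Step 5"; tls_audit "$tmp/weak.conf" || true
echo "== after Step 5";  tls_audit "$tmp/hard.conf" || true
rm -rf "$tmp"
```

Run tls_audit against /etc/apache2/mods-available/ssl.conf and your SSL virtual host file after editing them; a non-zero exit means at least one of the Step 5 settings is still missing.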